/src/libtheora/lib/decinfo.c
Line | Count | Source |
1 | | /******************************************************************** |
2 | | * * |
3 | | * THIS FILE IS PART OF THE OggTheora SOFTWARE CODEC SOURCE CODE. * |
4 | | * USE, DISTRIBUTION AND REPRODUCTION OF THIS LIBRARY SOURCE IS * |
5 | | * GOVERNED BY A BSD-STYLE SOURCE LICENSE INCLUDED WITH THIS SOURCE * |
6 | | * IN 'COPYING'. PLEASE READ THESE TERMS BEFORE DISTRIBUTING. * |
7 | | * * |
8 | | * THE Theora SOURCE CODE IS COPYRIGHT (C) 2002-2009 * |
9 | | * by the Xiph.Org Foundation and contributors * |
10 | | * https://www.xiph.org/ * |
11 | | * * |
12 | | ******************************************************************** |
13 | | |
14 | | function: |
15 | | |
16 | | ********************************************************************/ |
17 | | |
18 | | #include <stdlib.h> |
19 | | #include <string.h> |
20 | | #include <limits.h> |
21 | | #include "decint.h" |
22 | | |
23 | | /*Only used for fuzzing.*/ |
24 | | #if defined(HAVE_MEMORY_CONSTRAINT) |
25 | | static const int MAX_FUZZING_WIDTH = 16384; |
26 | | static const int MAX_FUZZING_HEIGHT = 16384; |
27 | | #endif |
28 | | |
29 | | |
30 | | /*Unpacks a series of octets from a given byte array into the pack buffer. |
31 | | No checking is done to ensure the buffer contains enough data. |
32 | | _opb: The pack buffer to read the octets from. |
33 | | _buf: The byte array to store the unpacked bytes in. |
34 | | _len: The number of octets to unpack.*/ |
35 | 21.8k | static void oc_unpack_octets(oc_pack_buf *_opb,char *_buf,size_t _len){ |
36 | 2.48M | while(_len-->0){ |
37 | 2.46M | long val; |
38 | 2.46M | val=oc_pack_read(_opb,8); |
39 | 2.46M | *_buf++=(char)val; |
40 | 2.46M | } |
41 | 21.8k | } |
42 | | |
43 | | /*Unpacks a 32-bit integer encoded by octets in little-endian form.*/ |
44 | 18.6k | static long oc_unpack_length(oc_pack_buf *_opb){ |
45 | 18.6k | long ret[4]; |
46 | 18.6k | int i; |
47 | 93.4k | for(i=0;i<4;i++)ret[i]=oc_pack_read(_opb,8); |
48 | 18.6k | return ret[0]|ret[1]<<8|ret[2]<<16|ret[3]<<24; |
49 | 18.6k | } |
50 | | |
51 | 1.94k | static int oc_info_unpack(oc_pack_buf *_opb,th_info *_info){ |
52 | 1.94k | long val; |
53 | | /*Check the codec bitstream version.*/ |
54 | 1.94k | val=oc_pack_read(_opb,8); |
55 | 1.94k | _info->version_major=(unsigned char)val; |
56 | 1.94k | val=oc_pack_read(_opb,8); |
57 | 1.94k | _info->version_minor=(unsigned char)val; |
58 | 1.94k | val=oc_pack_read(_opb,8); |
59 | 1.94k | _info->version_subminor=(unsigned char)val; |
60 | | /*verify we can parse this bitstream version. |
61 | | We accept earlier minors and all subminors, by spec*/ |
62 | 1.94k | if(_info->version_major>TH_VERSION_MAJOR|| |
63 | 1.94k | (_info->version_major==TH_VERSION_MAJOR&& |
64 | 238 | _info->version_minor>TH_VERSION_MINOR)){ |
65 | 12 | return TH_EVERSION; |
66 | 12 | } |
67 | | /*Read the encoded frame description.*/ |
68 | 1.93k | val=oc_pack_read(_opb,16); |
69 | 1.93k | _info->frame_width=(ogg_uint32_t)val<<4; |
70 | 1.93k | val=oc_pack_read(_opb,16); |
71 | 1.93k | _info->frame_height=(ogg_uint32_t)val<<4; |
72 | 1.93k | val=oc_pack_read(_opb,24); |
73 | 1.93k | _info->pic_width=(ogg_uint32_t)val; |
74 | 1.93k | val=oc_pack_read(_opb,24); |
75 | 1.93k | _info->pic_height=(ogg_uint32_t)val; |
76 | 1.93k | val=oc_pack_read(_opb,8); |
77 | 1.93k | _info->pic_x=(ogg_uint32_t)val; |
78 | 1.93k | val=oc_pack_read(_opb,8); |
79 | 1.93k | _info->pic_y=(ogg_uint32_t)val; |
80 | 1.93k | val=oc_pack_read(_opb,32); |
81 | 1.93k | _info->fps_numerator=(ogg_uint32_t)val; |
82 | 1.93k | val=oc_pack_read(_opb,32); |
83 | 1.93k | _info->fps_denominator=(ogg_uint32_t)val; |
84 | 1.93k | if(_info->frame_width==0||_info->frame_height==0|| |
85 | 1.91k | _info->pic_width+_info->pic_x>_info->frame_width|| |
86 | 1.87k | _info->pic_height+_info->pic_y>_info->frame_height|| |
87 | 1.84k | _info->fps_numerator==0||_info->fps_denominator==0){ |
88 | 157 | return TH_EBADHEADER; |
89 | 157 | } |
90 | | #if defined(HAVE_MEMORY_CONSTRAINT) |
91 | | if(_info->frame_width>=MAX_FUZZING_WIDTH&&_info->frame_height>=MAX_FUZZING_HEIGHT){ |
92 | | return TH_EBADHEADER; |
93 | | } |
94 | | #endif |
95 | | /*Note: The sense of pic_y is inverted in what we pass back to the |
96 | | application compared to how it is stored in the bitstream. |
97 | | This is because the bitstream uses a right-handed coordinate system, while |
98 | | applications expect a left-handed one.*/ |
99 | 1.77k | _info->pic_y=_info->frame_height-_info->pic_height-_info->pic_y; |
100 | 1.77k | val=oc_pack_read(_opb,24); |
101 | 1.77k | _info->aspect_numerator=(ogg_uint32_t)val; |
102 | 1.77k | val=oc_pack_read(_opb,24); |
103 | 1.77k | _info->aspect_denominator=(ogg_uint32_t)val; |
104 | 1.77k | val=oc_pack_read(_opb,8); |
105 | 1.77k | _info->colorspace=(th_colorspace)val; |
106 | 1.77k | val=oc_pack_read(_opb,24); |
107 | 1.77k | _info->target_bitrate=(int)val; |
108 | 1.77k | val=oc_pack_read(_opb,6); |
109 | 1.77k | _info->quality=(int)val; |
110 | 1.77k | val=oc_pack_read(_opb,5); |
111 | 1.77k | _info->keyframe_granule_shift=(int)val; |
112 | 1.77k | val=oc_pack_read(_opb,2); |
113 | 1.77k | _info->pixel_fmt=(th_pixel_fmt)val; |
114 | 1.77k | if(_info->pixel_fmt==TH_PF_RSVD)return TH_EBADHEADER; |
115 | 1.77k | val=oc_pack_read(_opb,3); |
116 | 1.77k | if(val!=0||oc_pack_bytes_left(_opb)<0)return TH_EBADHEADER; |
117 | 1.72k | return 0; |
118 | 1.77k | } |
119 | | |
120 | 1.65k | static int oc_comment_unpack(oc_pack_buf *_opb,th_comment *_tc){ |
121 | 1.65k | long len; |
122 | 1.65k | int i; |
123 | | /*Read the vendor string.*/ |
124 | 1.65k | len=oc_unpack_length(_opb); |
125 | 1.65k | if(len<0||len>oc_pack_bytes_left(_opb))return TH_EBADHEADER; |
126 | 1.56k | _tc->vendor=_ogg_malloc((size_t)len+1); |
127 | 1.56k | if(_tc->vendor==NULL)return TH_EFAULT; |
128 | 1.56k | oc_unpack_octets(_opb,_tc->vendor,len); |
129 | 1.56k | _tc->vendor[len]='\0'; |
130 | | /*Read the user comments.*/ |
131 | 1.56k | _tc->comments=(int)oc_unpack_length(_opb); |
132 | 1.56k | len=_tc->comments; |
133 | 1.56k | if(len<0||len>(LONG_MAX>>2)||len<<2>oc_pack_bytes_left(_opb)){ |
134 | 129 | _tc->comments=0; |
135 | 129 | return TH_EBADHEADER; |
136 | 129 | } |
137 | 1.43k | if(0<_tc->comments){ |
138 | 152 | _tc->comment_lengths=(int *)_ogg_malloc( |
139 | 152 | _tc->comments*sizeof(_tc->comment_lengths[0])); |
140 | 152 | _tc->user_comments=(char **)_ogg_malloc( |
141 | 152 | _tc->comments*sizeof(_tc->user_comments[0])); |
142 | 152 | if(_tc->comment_lengths==NULL||_tc->user_comments==NULL){ |
143 | 0 | _tc->comments=0; |
144 | 0 | return TH_EFAULT; |
145 | 0 | } |
146 | 15.5k | for(i=0;i<_tc->comments;i++){ |
147 | 15.4k | len=oc_unpack_length(_opb); |
148 | 15.4k | if(len<0||len>oc_pack_bytes_left(_opb)){ |
149 | 117 | _tc->comments=i; |
150 | 117 | return TH_EBADHEADER; |
151 | 117 | } |
152 | 15.3k | _tc->comment_lengths[i]=len; |
153 | 15.3k | _tc->user_comments[i]=_ogg_malloc((size_t)len+1); |
154 | 15.3k | if(_tc->user_comments[i]==NULL){ |
155 | 0 | _tc->comments=i; |
156 | 0 | return TH_EFAULT; |
157 | 0 | } |
158 | 15.3k | oc_unpack_octets(_opb,_tc->user_comments[i],len); |
159 | 15.3k | _tc->user_comments[i][len]='\0'; |
160 | 15.3k | } |
161 | 1.28k | } else { |
162 | 1.28k | _tc->comment_lengths=NULL; |
163 | 1.28k | _tc->user_comments=NULL; |
164 | 1.28k | } |
165 | 1.31k | return oc_pack_bytes_left(_opb)<0?TH_EBADHEADER:0; |
166 | 1.43k | } |
167 | | |
168 | 1.27k | static int oc_setup_unpack(oc_pack_buf *_opb,th_setup_info *_setup){ |
169 | 1.27k | int ret; |
170 | | /*Read the quantizer tables.*/ |
171 | 1.27k | ret=oc_quant_params_unpack(_opb,&_setup->qinfo); |
172 | 1.27k | if(ret<0)return ret; |
173 | | /*Read the Huffman trees.*/ |
174 | 1.25k | return oc_huff_trees_unpack(_opb,_setup->huff_tables); |
175 | 1.27k | } |
176 | | |
177 | 1.27k | static void oc_setup_clear(th_setup_info *_setup){ |
178 | 1.27k | oc_quant_params_clear(&_setup->qinfo); |
179 | 1.27k | oc_huff_trees_clear(_setup->huff_tables); |
180 | 1.27k | } |
181 | | |
182 | | static int oc_dec_headerin(oc_pack_buf *_opb,th_info *_info, |
183 | 5.01k | th_comment *_tc,th_setup_info **_setup,ogg_packet *_op){ |
184 | 5.01k | char buffer[6]; |
185 | 5.01k | long val; |
186 | 5.01k | int packtype; |
187 | 5.01k | int ret; |
188 | 5.01k | val=oc_pack_read(_opb,8); |
189 | 5.01k | packtype=(int)val; |
190 | | /*If we're at a data packet...*/ |
191 | 5.01k | if(!(packtype&0x80)){ |
192 | | /*Check to make sure we received all three headers... |
193 | | If we haven't seen any valid headers, assume this is not actually |
194 | | Theora.*/ |
195 | 51 | if(_info->frame_width<=0)return TH_ENOTFORMAT; |
196 | | /*Follow our documentation, which says we'll return TH_EFAULT if this |
197 | | are NULL (_info was checked by our caller).*/ |
198 | 23 | if(_tc==NULL)return TH_EFAULT; |
199 | | /*And if any other headers were missing, declare this packet "out of |
200 | | sequence" instead.*/ |
201 | 23 | if(_tc->vendor==NULL)return TH_EBADHEADER; |
202 | | /*Don't check this until it's needed, since we allow passing NULL for the |
203 | | arguments that we're not expecting the next header to fill in yet.*/ |
204 | 5 | if(_setup==NULL)return TH_EFAULT; |
205 | 5 | if(*_setup==NULL)return TH_EBADHEADER; |
206 | | /*If we got everything, we're done.*/ |
207 | 0 | return 0; |
208 | 5 | } |
209 | | /*Check the codec string.*/ |
210 | 4.96k | oc_unpack_octets(_opb,buffer,6); |
211 | 4.96k | if(memcmp(buffer,"theora",6)!=0)return TH_ENOTFORMAT; |
212 | 4.90k | switch(packtype){ |
213 | | /*Codec info header.*/ |
214 | 1.96k | case 0x80:{ |
215 | | /*This should be the first packet, and we should not already be |
216 | | initialized.*/ |
217 | 1.96k | if(!_op->b_o_s||_info->frame_width>0)return TH_EBADHEADER; |
218 | 1.94k | ret=oc_info_unpack(_opb,_info); |
219 | 1.94k | if(ret<0)th_info_clear(_info); |
220 | 1.72k | else ret=3; |
221 | 1.94k | }break; |
222 | | /*Comment header.*/ |
223 | 1.65k | case 0x81:{ |
224 | 1.65k | if(_tc==NULL)return TH_EFAULT; |
225 | | /*We should have already decoded the info header, and should not yet have |
226 | | decoded the comment header.*/ |
227 | 1.65k | if(_info->frame_width==0||_tc->vendor!=NULL)return TH_EBADHEADER; |
228 | 1.65k | ret=oc_comment_unpack(_opb,_tc); |
229 | 1.65k | if(ret<0)th_comment_clear(_tc); |
230 | 1.31k | else ret=2; |
231 | 1.65k | }break; |
232 | | /*Codec setup header.*/ |
233 | 1.29k | case 0x82:{ |
234 | 1.29k | oc_setup_info *setup; |
235 | 1.29k | if(_tc==NULL||_setup==NULL)return TH_EFAULT; |
236 | | /*We should have already decoded the info header and the comment header, |
237 | | and should not yet have decoded the setup header.*/ |
238 | 1.29k | if(_info->frame_width==0||_tc->vendor==NULL||*_setup!=NULL){ |
239 | 17 | return TH_EBADHEADER; |
240 | 17 | } |
241 | 1.27k | setup=(oc_setup_info *)_ogg_calloc(1,sizeof(*setup)); |
242 | 1.27k | if(setup==NULL)return TH_EFAULT; |
243 | 1.27k | ret=oc_setup_unpack(_opb,setup); |
244 | 1.27k | if(ret<0){ |
245 | 205 | oc_setup_clear(setup); |
246 | 205 | _ogg_free(setup); |
247 | 205 | } |
248 | 1.07k | else{ |
249 | 1.07k | *_setup=setup; |
250 | 1.07k | ret=1; |
251 | 1.07k | } |
252 | 1.27k | }break; |
253 | 1 | default:{ |
254 | | /*We don't know what this header is.*/ |
255 | 1 | return TH_EBADHEADER; |
256 | 1.27k | }break; |
257 | 4.90k | } |
258 | 4.87k | return ret; |
259 | 4.90k | } |
260 | | |
261 | | |
262 | | /*Decodes one header packet. |
263 | | This should be called repeatedly with the packets at the beginning of the |
264 | | stream until it returns 0.*/ |
265 | | int th_decode_headerin(th_info *_info,th_comment *_tc, |
266 | 5.01k | th_setup_info **_setup,ogg_packet *_op){ |
267 | 5.01k | oc_pack_buf opb; |
268 | 5.01k | if(_op==NULL)return TH_EBADHEADER; |
269 | 5.01k | if(_info==NULL)return TH_EFAULT; |
270 | 5.01k | oc_pack_readinit(&opb,_op->packet,_op->bytes); |
271 | 5.01k | return oc_dec_headerin(&opb,_info,_tc,_setup,_op); |
272 | 5.01k | } |
273 | | |
274 | 1.07k | void th_setup_free(th_setup_info *_setup){ |
275 | 1.07k | if(_setup!=NULL){ |
276 | 1.07k | oc_setup_clear(_setup); |
277 | 1.07k | _ogg_free(_setup); |
278 | 1.07k | } |
279 | 1.07k | } |